1. Field of the Invention
The present invention relates to code scanning and, more specifically, to a method and computer program product for scanning the source code for pre-defined patterns.
2. Background Art
A typical enterprise in the public sector, as well as enterprises in the banking sector, often uses several programs that are custom-written internally by in-house developers or outside contractors. Most of these programs have no external connection and, as a result, are rarely audited in their entirety. These programs generally deal with business processes and, as such, are rarely manually audited, since such an audit is expensive and would stop all internal processes for weeks. Yet a developer can insert backdoor access code, hardcoded passwords and other login and authentication data into the source code in the form of a malicious code injection. Thus, the developer can gain access to some resources and bank accounts using the custom code he has written. Therefore, the code needs to be checked. However, manual analysis of hundreds of thousands of lines of code would take a long time, and during this time the business processes would have to be interrupted. Note that the code audit has to be performed by a third party, not by the development team that produced the code.
Code parsers are computer programs that can perform syntax analysis of the code. However, conventional code parsers do not detect most of the vulnerabilities created by dishonest developers. Furthermore, conventional parsers do not parse the executable code on-the-fly. Conventional scanners scan for potential vulnerabilities that are introduced by careless developers, rather than malicious ones. As such, better-hidden vulnerabilities are ignored by conventional scanners by design.
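To make concrete what scanning source for pre-defined patterns means in practice, the following is an added illustration, not code from the patent, of a minimal line-oriented scanner that flags the three kinds of insertion the background describes (hardcoded credentials, a login check against a literal account name, and an unconditionally set authorization flag). The pattern catalogue, the Finding type and the sample module are all constructed for this example and are assumptions, not the invention's own pattern set.

```python
import re
from dataclasses import dataclass

# Pre-defined pattern catalogue (constructed for this example, not the patent's
# own list): name, compiled regex, and why a match deserves an auditor's look.
PATTERNS = [
    ("hardcoded_password",
     re.compile(r"(pass(word|wd)?|pwd|secret|api[_-]?key|token)[\"']?\s*[=:]\s*[\"'][^\"']{4,}[\"']", re.I),
     "credential literal embedded in source"),
    ("literal_user_check",
     re.compile(r"\b(user(name)?|login|uid)\s*==\s*[\"'][^\"']+[\"']", re.I),
     "identity compared against a literal account name"),
    ("auth_bypass_constant",
     re.compile(r"\b(is_admin|authenticated|authorized|is_auth)\s*=\s*(True|true|1)\b"),
     "authorization flag set unconditionally"),
]

@dataclass
class Finding:
    line_no: int
    pattern: str
    reason: str
    text: str

def scan_source(source: str) -> list:
    """Return one Finding per (line, pattern) hit. Blank lines and comment
    lines are skipped so commented-out values do not flood the report."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue
        for name, regex, reason in PATTERNS:
            if regex.search(line):
                findings.append(Finding(n, name, reason, stripped))
    return findings

# Constructed sample module showing the insertions the background describes:
# a hardcoded secret, a literal-account login path, and a forced admin flag.
SAMPLE = """\
import hashlib
DB_PASSWORD = "s3cr3t-prod-2024"
def check_login(username, password):
    # normal path: compare a hash, never a plaintext literal
    if username == "maintenance":
        return True
    return verify(username, hashlib.sha256(password.encode()).hexdigest())
def reset():
    is_admin = True
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.pattern} ({f.reason}): {f.text}")
```

A real audit tool would add a parser-aware stage on top of this (so string literals inside tests or fixtures can be rated differently), but the pattern catalogue is the part an enterprise maintains and extends.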
Accordingly, there is a need in the art for an automated scanning solution that provides the enterprises with an ability to scan the code of their business process software without freezing the business processes for a long period of time.